Summary 

The following report describes information security and data breach notification requirements 
included in the Privacy Act, the Federal Information Security Management Act, Office of 
Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health 
Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade 
Commission Act, and the Fair Credit Reporting Act. 

Information security laws are designed to protect personally identifiable information from 
compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other 
situations where unauthorized persons have access or potential access to personally identifiable 
information for unauthorized purposes. Data breach notification laws typically require covered 
entities to implement a breach notification policy, and include requirements for incident reporting 
and handling and external breach notification. 

During the 110th Congress, three data security bills — S. 239 (Feinstein), S. 495 (Leahy), and 
S. 1178 (Inouye) — were reported favorably out of Senate committees. Those bills include 
information security and data breach notification requirements. Other data security bills were also 
introduced, including S. 806 (Pryor), S. 1202 (Sessions), S. 1260 (Carper), S. 1558 (Coleman), 
H.R. 516 (Davis), H.R. 836 (Smith), H.R. 958 (Rush), H.R. 1307 (Wilson), H.R. 1685 (Price), 
and H.R. 2124 (Davis). 

For related reports, see CRS Report RL33273, Data Security: Federal Legislative Approaches, by 
Gina Marie Stevens. Also see the Current Legislative Issues web page for “Privacy and Data 
Security” available at http://www.crs.gov. This report will be updated. 
Introduction 

Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data 
brokers, retailers, educational institutions, government agencies, health care entities, financial 
institutions, and Internet businesses. 1 A data breach occurs when there is a loss or theft of, or 
other unauthorized access to, data containing sensitive personal information that results in the 
potential compromise of the confidentiality or integrity of data. Sensitive personal information 
generally includes an individual’s name, address, or telephone number, in conjunction with the 
individual’s Social Security number, driver’s license number, account number, credit or debit card 
number, or a personal identification number or password. Breach notification laws enacted by 
many states require the disclosure of security breaches involving sensitive personal information. 

In the absence of a comprehensive federal data breach notification law, many states enacted laws 
requiring consumer notice of security breaches of personal data. 2 The majority of states have 
introduced or passed bills to require companies to notify persons affected by breaches involving 
their personal information, and in some cases to implement information security programs to 
protect the security, confidentiality, and integrity of data. As of January 2008, 39 states had enacted 
data security laws requiring entities to notify persons affected by security breaches and, in some 
cases, to implement information security programs to protect the security, confidentiality, and 
integrity of data. 3 Six states have reportedly introduced bills designed to strengthen merchant 
security and/or hold companies liable for third party companies’ costs arising from data breaches 
(California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas). 4 

From February 2005 to December 2006, 100 million personal records were reportedly lost or 
exposed. 5 The Privacy Rights Clearinghouse chronicles and reports that over 223 million data 
records of U.S. residents have been exposed due to security breaches since January 2005. 6 In 
2006 the personal data of 26.5 million veterans was breached when a VA employee’s hard drive 
was stolen from his home. In 2007 the retailer TJX Companies revealed that 46.2 million credit 
and debit cards may have been compromised during the breach of its computer network by 
unauthorized individuals. 7 In 2008 the Hannaford supermarket chain revealed that approximately 
4 million debit and credit card numbers were compromised when Hannaford’s computer systems 
were illegally accessed while the cards were being authorized for purchase. There were 1800 
reported cases of fraud connected to the computer intrusion. 



1 See generally CRS Report RL33199, Data Security Breaches: Context and Incident Summaries, by Rita Tehan. 

2 See Julie Brill, Vermont Assistant Attorney General, Chart on Comparison of State Security Breach Laws (updated 
7-12-07). 

3 Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, 
Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New 
Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode 
Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin, and Wyoming. National Conference of State 
Legislatures, State Security Breach Notification Laws, at http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm; 
John P. Hutchins, U.S. Data Breach Notification Law: State by State (2007). 

4 See Timothy P. Tobin, In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and 
Liability Obligations; Similar Bills Pending in Five Other States, at http://privacylaw.proskauer.com/. The Minnesota 
bill was signed into law on May 21, 2007. 2007 Minn. Laws Ch. 108, H.F. 1758. 

5 Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times, December 18, 2006, p. C3. 

6 Privacy Rights Clearinghouse, A Chronology of Data Breaches, at http://www.privacyrights.org/ar/ChronDataBreaches.htm. 

7 U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc., http://www.sec.gov/Archives/edgar/data/109198/000095013507001906/b64407tjel0vk.htm. 

Data breaches involving sensitive personal information may result in identity theft and financial 
crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment- 
related fraud, government documents or benefits fraud, loan fraud, and health-care fraud). 

Identity theft involves the misuse of any identifying information, which could include name, 
SSN, account number, password, or other information linked to an individual, to commit a 
violation of federal or state law. 8 According to the Federal Trade Commission, identity theft is the 
most common complaint from consumers in all 50 states, and accounts for over 35% of the total 
number of complaints the Identity Theft Data Clearinghouse received for calendar years 2004, 
2005, and 2006. In calendar year 2006, of the 674,354 complaints received, 246,035 or 36% were 
identity theft complaints. 9 With continued media reports of data security breaches, 10 concerns 
about new cases of identity theft are widespread. 11 

These public disclosures have heightened interest in the security of sensitive personal 
information; in the security of computer systems; in the applicability of existing federal laws to 
the protection of sensitive personal information; in the adequacy of enforcement tools available to 
law enforcement officials and federal regulators; in the business and regulation of data brokers; 12 
in the liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit 
reports for costs arising from data breaches; in remedies available to individuals whose personal 
information was accessed without authorization; 13 in the prosecution of identity theft crimes 
related to data breaches; and in the criminal liability of persons responsible for unauthorized 
access to computer systems. 14 



Federal Information Security and Data Breach Notification Laws 

Background 

Because of questions about the applicability of existing federal laws to sensitive personal 
information, this report provides an overview of federal information security and data breach 
notification laws that are applicable to certain entities that own, possess, or license sensitive 
personal information. 15 



8 P.L. 105-318, Identity Theft Assumption and Deterrence Act; 18 U.S.C. § 1028. 

9 Federal Trade Commission, Identity Theft Victim Complaint Data, Feb. 7, 2007, at http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/clearinghouse_2006.pdf. 

10 See Nancy Trejos, “Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America’s New Crime Wave 
Hits Home,” Washington Post at F01 (Jan. 13, 2008). 

11 Legislation introduced in response to the increase in data security breaches is discussed in CRS Report RL33273, 
Data Security: Federal Legislative Approaches, by Gina Marie Stevens. 

12 See U.S. Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require 
Information Resellers to Safeguard All Sensitive Data 56, GAO-06-674, June 26, 2006, at http://www.gao.gov/new.items/d06674.pdf. 

13 See CRS Report RL31919, Federal Laws Related to Identity Theft, updated by Gina Marie Stevens. 

14 See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related 
Federal Criminal Laws, by Charles Doyle. 

Information security laws are designed to protect personally identifiable information from 
compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other 
situations where unauthorized persons have access or potential access to personally identifiable 
information for unauthorized purposes. Data breach notification laws typically require covered 
entities to implement a breach notification policy, and include requirements for incident reporting 
and handling and external breach notification. 

No single federal law or regulation governs the security of all types of sensitive personal 
information. Determining which federal law, regulation, and guidance is applicable depends in 
part on the entity or sector that collected the information, and the type of information collected. 
Under federal law certain sectors are legally obligated to protect certain types of sensitive 
personal information. These obligations were created, in large part, when federal privacy 
legislation was enacted in the credit, financial services, health care, government, securities, and 
Internet sectors. Federal regulations were issued to require certain entities to implement 
information security programs and provide breach notice to affected persons . 16 

The applicability of a particular law depends in part on the information owner. For example, there 
are federal information security requirements applicable to all federal government agencies and a 
federal information security law applicable to a sole federal department (Veterans Affairs). In the 
private sector, different laws apply to private sector entities engaged in different businesses. This 
is what is commonly referred to as a sectoral approach to the protection of personal information. 

Some critics say that current laws focus too closely on industry-specific uses of information, like 
credit reports or medical data, rather than on protecting the privacy of individuals . 17 Others 
believe the sectoral approach to the protection of personal information reflects not only variations 
in the types of information collected (e.g., government, private sector, health, financial, etc.), but 
also differences in the regulatory framework for particular sectors. Others advocate a national 
standard for entities that maintain personal information in order to harmonize legal obligations . 18 

The type of information collected also determines in part whether a particular law is applicable. 
Information on individuals collected, maintained, or processed by a covered entity is regulated. In 
some cases a law’s scope extends to information created, received, maintained, or transmitted on 
behalf of a covered entity (by a contractor or subcontractor). Another approach taken is where the 
law targets a specific category of information (e.g., federal agency, health, customer financial 
information). The medium or format the information is kept in is also frequently relevant 
(electronic, paper, or other form). 



15 For a discussion of Section 222 of the Communications Act of 1934, as amended (47 U.S.C. 222), which establishes 
a duty for telecommunications carriers to protect the confidentiality of customers’ customer proprietary network 
information (CPNI), see CRS Report RL34409, Selected Laws Governing the Disclosure of Customer Phone Records 
by Telecommunications Carriers, by Kathleen Ann Ruane. For a discussion of Sections 302 and 404 of the 
Sarbanes-Oxley Act of 2002, P.L. 107-204, which require public companies to ensure that they have implemented appropriate 
information security controls with respect to their financial information, see CRS Report RS22482, Section 404 of the 
Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls): Current Regulation and Congressional 
Concerns, by Michael V. Seitzinger. 

16 Thomas J. Smedinghoff, “The New Law of Information Security: What Companies Need To Do Now,” 22 The 
Computer & Internet Lawyer 9 (November 2005). 

17 Tom Zeller, Jr., “Breach Points Up Flaws in Privacy Laws,” New York Times (February 24, 2005). 

18 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007, at 
http://www.identitytheft.gov/reports/StrategicPlan.pdf. 

Data breach notification laws typically cover “personally identifiable information” or “sensitive 
personal information” or “individually identifiable information.” Generally included are an 
individual’s name or another personal identifier, social security number, biometric records, date 
and place of birth, and mother’s maiden name. Other information included in some laws is that 
which identifies the individual or with respect to which there is a reasonable basis to believe that 
the information can be used to identify the individual, or information that can be used to 
distinguish or trace the individual’s identity. In some cases, information about an individual’s 
education, financial transactions, medical history, and criminal and employment history may be 
covered. The law governing financial institutions regulates nonpublic personal information. 



Federal Sector 

A newly enacted federal law and recently issued federal guidance require federal agencies that 
collect sensitive personal information to implement enhanced information security programs and 
provide notice to persons affected by data security breaches. The Veterans Affairs Information 
Security Act of 2006 was enacted to prevent and respond to data breaches in the Department of 
Veterans Affairs. The 2007 Office of Management and Budget memorandum on “Safeguarding 
Against and Responding to the Breach of Personally Identifiable Information” requires all federal 
agencies to implement a breach notification policy to safeguard personally identifiable 
information. 

Privacy Act 

The Privacy Act is the principal law governing the federal government’s information privacy 
program. Other relevant federal laws include the Computer Matching and Privacy Protection Act 
of 1988, 19 and Section 208 of the E-Government Act of 2002 which requires agencies to conduct 
privacy impact assessments on new information technology systems and electronic information 
collections. 20 The Privacy Act of 1974 21 governs the collection, use, and dissemination of a 
“record” 22 about an “individual” 23 maintained by federal agencies in a “system of records.” 24 The 
act defines a “record” as any item, collection, or grouping of information about an individual that 
is maintained by an agency and contains his or her name or another personal identifier. In order 
for an agency record to be protected by the Privacy Act, it must be retrieved by individual name 
or individual identifier. The Privacy Act also applies to systems of records created by government 
contractors. 25 The Privacy Act does not apply to private databases. 



19 5 U.S.C. § 552a note. 

20 44 U.S.C. § 3501 note. 

21 5 U.S.C. § 552a. 

22 5 U.S.C. § 552a(a)(4). 

23 “The term “individual” means a citizen of the United States or an alien lawfully admitted for permanent residence.” 5 
U.S.C. § 552a(2). 

24 The act defines “system of records” as a group of records under the control of any agency from which information is 
retrieved by the name of the individual or by an individual identifier. Id. at § 552a(a)(5). 

25 5 U.S.C. § 552 (m). 
The Privacy Act prohibits the disclosure of any record maintained in a system of records to any 
person or agency without the written consent of the record subject, unless the disclosure falls 
within one of twelve statutory exceptions. The act allows most individuals to seek access to 
records about themselves, and requires that personal information in agency files be accurate, 
complete, relevant, and timely. 26 The subject of a record may challenge the accuracy of 
information. The Privacy Act requires that when agencies establish or modify a system of records, 
they publish a “system-of-records notice” in the Federal Register. 27 

Each agency that maintains a system of records is required to “establish appropriate 
administrative, technical, and physical safeguards to insure the security and confidentiality of 
records and to protect against any anticipated threats or hazards to their security or integrity 
which could result in substantial harm, embarrassment, inconvenience, or unfairness to any 
individual ... ” 28 

The Privacy Act provides legal remedies that permit an individual to seek enforcement of the 
rights granted under the act. The individual may bring a civil suit against the agency. The court 
may order the agency to amend the individual’s record, enjoin the agency from withholding the 
individual’s records, and may award actual damages of $1,000 or more to the individual for 
intentional or willful violations. 29 Courts may also assess attorneys’ fees and costs. The act also 
contains criminal penalties; federal employees who fail to comply with the act’s provisions may 
be subjected to criminal penalties. 

The Office of Management and Budget (OMB) is required to prescribe guidelines and regulations 
for the use by agencies in implementing the act, and provide assistance to and oversight of the 
implementation of the act. 30 

Federal Information Security Management Act 

FISMA is the principal law governing the federal government’s information security program. 
Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 
2002 (FISMA), 31 requires federal government agencies to provide information security 
protections for agency information and information systems. 32 Agencies are required to develop, 
document, and implement an agency-wide program “providing information security protections 
commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of (i) information collected or maintained by 
or on behalf of the agency; and (ii) information systems used or operated by an agency or by a 
contractor of an agency or other organization on behalf of an agency.” 33 



26 5 U.S.C. § 552a(e)(5). 

27 The Federal Register notice must identify, among other things, the type of data collected, the types of individuals 
about whom information is collected, the intended “routine” uses of data, and procedures that individuals can use to 
review and correct personal information. 5 U.S.C. § 552a(e)(4). 

28 5 U.S.C. § 552a(e)(10). 

29 Shortly after the breach of the personal data of 26.5 million veterans in 2006 by the Department of Veterans Affairs, 
veterans groups filed a class-action lawsuit alleging violations of the Administrative Procedure Act and the Privacy 
Act. Vietnam Veterans of America, Inc. et al. v. Nicholson, No. 1:06-cv-01038-JR (D.D.C. filed June 6, 2006). 

30 5 U.S.C. § 552a(v); 40 Fed. Reg. 28976 (July 9, 1975). 

31 Title III of the E-Government Act of 2002, P.L. 107-347; 44 U.S.C. § 3541 et seq.; see CRS Report RL32357, 
Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives, by John D. 
Moteff. 

32 Information security means protecting information and information systems from unauthorized access, use, 
disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. 44 
U.S.C. § 3542. 

The agency’s information security plan also must include procedures for detecting, reporting, and 
responding to security incidents; notifying and consulting with the Federal information security 
incident center and with law enforcement agencies and relevant Offices of Inspector General. 34 
The National Institute of Standards and Technology (NIST) is responsible for developing 
standards and guidelines for providing adequate information security for all agency operations 
and assets, except for national security systems. Agencies are required to comply with the 
information security standards developed by NIST. 35 Agencies must also conduct, annually, an 
independent evaluation of their security programs. The evaluations are forwarded to the Director 
of the Office of Management and Budget, for an annual report to Congress. 36 The Director’s 
authorities do not include national security systems. 37 

Agency heads are responsible for compliance with FISMA’s requirements and related information 
security policies, procedures, standards, and guidelines, and for ensuring that senior agency 
officials provide information security. The authority to ensure compliance is delegated to the 
agency Chief Information Officer (CIO). FISMA also assigns specific policy and oversight 
responsibilities to the Office of Management and Budget (OMB). 

Office of Management and Budget “Breach Notification Policy” 

In response to recommendations from the President’s Identity Theft Task Force, 38 the Office of 
Management and Budget issued guidance in May 2007 for federal agencies on “Safeguarding 
Against and Responding to the Breach of Personally Identifiable Information.” 39 The OMB 
Memorandum M-07-16 requires all federal agencies to implement a breach notification policy to 
safeguard “personally identifiable information” by August 22, 2007, to apply to both electronic 
systems and paper documents. 40 To formulate their policy, agencies are directed to review 
existing privacy and security requirements, and include requirements for incident reporting and 
handling and external breach notification. In addition, agencies are required to develop policies 
concerning the responsibilities of individuals authorized to access personally identifiable 
information. 



33 44 U.S.C. § 3544(a)(1)(A). 

34 44 U.S.C. § 3544(b)(7). 

35 44 U.S.C. § 3544(a)(1)(B); 40 U.S.C. § 11331. 

36 See generally Information Security: Agencies Report Progress, but Sensitive Data Remain at Risk: Hearings Before 
the Subcomms. of the House Comm. on Oversight and Government Reform, 110th Cong. 6-8 (2007), available at 
http://www.gao.gov/new.items/d07935t.pdf. 

37 FISMA defines a national security system, in statute, as: 

Any computer system (including any telecommunications system) used or operated by an agency or by a contractor of 
an agency, or other organization on behalf of an agency — 

(i) the function of which — 

(I) involves intelligence activities; 

(II) involves cryptologic activities related to national security; 

(III) involves command and control of military forces; 

(IV) involves equipment that is an integral part of a weapon or weapons system; 

(V) ... is critical to the direct fulfillment of military or intelligence missions; or 

(ii) is protected at all times by procedures established for information that have been specifically authorized under 
criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense 
or foreign policy. 

The definition explicitly excludes systems that are used for routine administrative and business applications (including 
payroll, finance, logistics, and personnel management applications). P.L. 107-347, § 301(b)(1). 

38 Exec. Order No. 13,402, 71 FR 27945 (2006). 

39 http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf. 

Attachment 1 of the OMB memorandum, Safeguarding Against the Breach of Personally 
Identifiable Information, reemphasizes agencies’ responsibilities under existing law (e.g., the 
Privacy Act and FISMA), executive orders, regulations, and policy to safeguard personally 
identifiable information and train employees. Two new privacy requirements and five new 
security requirements are established. To implement the new privacy requirements, agencies are 
required to review current holdings of all personally identifiable information to ensure that they 
are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount. 
Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use 
of social security numbers within eighteen months. Agencies must implement the following five 
new security requirements (applicable to all federal information): encrypt all data on mobile 
computers/devices carrying agency data; employ two-factor authentication for remote access; use 
a “time-out” function for remote access and mobile devices; log and verify all computer-readable 
data extracts from databases holding sensitive information; and ensure that individuals and 
supervisors with authorized access to personally identifiable information annually sign a 
document describing their responsibilities. 41 

Attachment 2 of the OMB Memorandum, Incident Reporting and Handling Requirements, applies 
to the breach of personally identifiable information in electronic or paper format. Agencies are 
required to report all incidents involving personally identifiable information within one hour of 
discovery/detection; and publish a “routine use” 42 under the Privacy Act applying to the 
disclosure of information to appropriate persons in the event of a data breach. 43 

Attachment 3, External Breach Notification, identifies the factors agencies should consider in 
determining when notification outside the agency should be given and the nature of the 
notification. Notification may not be necessary for encrypted information. Each agency is 
directed to establish an agency response team. Agencies must assess the likely risk of harm 
caused by the breach and the level of risk. Agencies should provide notification without 
unreasonable delay following the detection of a breach, but are permitted to delay notification for 
law enforcement, national security purposes, or agency needs. Attachment 3 also includes 
specifics as to the content of the notice, criteria for determining the method of notification, and 
the types of notice that may be used. 



40 The memo defines the term “personally identifiable information” as “information which can be used to distinguish or 
trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when 
combined with other personal or identifying information which is linked or linkable to a specific individual, such as 
date and place of birth, mother’s maiden name, etc.” Id. 

41 The first four information security requirements were adopted in an earlier memorandum. See OMB Memo 06-16, 
“Protection of Sensitive Agency Information” at http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf. 

42 The Privacy Act defines a routine use to mean "with respect to the disclosure of a record, the use of such record for a 
purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). 

43 OMB Memorandum M-07-16, p. 11. 
Attachment 4, Rules and Consequences Policy, directs each agency to develop and implement a 
policy outlining rules of behavior and identifying consequences and corrective actions available 
for failure to follow these rules. Supervisors may be subject to disciplinary action for failure to 
take appropriate action upon discovering the breach or failure to take required steps to prevent a 
breach from occurring. Rules of behavior and corrective actions should address the failure to 
implement and maintain security controls for personally identifiable information; exceeding 
authorized access to, or disclosure to unauthorized persons of, personally identifiable 
information; failure to report any known or suspected loss of control or unauthorized disclosure 
of personally identifiable information; and for managers, failure to adequately instruct, train, or 
supervise employees in their responsibilities. Consequences may include reprimand, suspension, 
removal, or other actions in accordance with applicable law and agency policy. 

Veterans Affairs Information Security Act 

Title IX of P.L. 109-461, 44 the Veterans Affairs Information Security Act, requires the Veterans 
Administration (VA) to implement agency-wide information security procedures to protect the 
VA’s “sensitive personal information” (SPI) 45 and VA information systems. P.L. 109-461 was 
enacted to respond to the May 2006 breach of the personal data of 26.5 million veterans caused 
by the theft of a VA employee’s hard drive from his home. 46 

Pursuant to P.L. 109-461, the VA’s information security program is to provide for the 
development and maintenance of cost effective security controls to protect VA information, in any 
medium or format, and VA information systems. 47 The information security program is required 
to include the following elements: periodic assessments of the risk and magnitude of harm that 
could result from the unauthorized access, use, disclosure, disruption, modification, or destruction 
of VA information and information systems; policies and procedures based on risk assessments 
that cost-effectively reduce security risks and ensure information security; implementation of 
security controls to protect the confidentiality, integrity, and availability of VA information and 
information systems; plans for security for networks, facilities, systems, or groups of information 
systems; annual security awareness training for employees and contractors and users of VA 
information and information systems; periodic testing of security controls; a process for remedial 
actions; procedures for detecting, reporting, and responding to security incidents; and plans and 
procedures to ensure continuity of operations. Additionally, the VA Secretary is directed to 
comply with FISMA, and other security requirements issued by NIST and OMB. The law also 
establishes specific information security responsibilities for the VA Secretary, information 
technology and information security officials, VA information owners, other key officials, users 
of VA information systems, and the VA Inspector General. 



44 The Veterans Benefits, Health Care, and Information Technology Act of 2006, P.L. 109-461 (December 22, 2006); 
38 U.S.C. §§ 5722 et seq. 

45 “The term “sensitive personal information”, with respect to an individual, means any information about the 
individual maintained by an agency, including the following: (A) Education, financial transactions, medical history, 
and criminal or employment history. (B) Information that can be used to distinguish or trace the individual’s identity, 
including name, social security number, date and place of birth, mother’s maiden name, or biometric records.” P.L. 
109-461, § 902. 

46 See CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology 
Management Reorganization, by Sidath Viranga Panangala. 

47 38 U.S.C. § 5722. 
P.L. 109-461 requires that in the event of a “data breach” 48 of sensitive personal information 
processed or maintained by the VA Secretary, the Secretary must ensure that, as soon as possible 
after discovery, either a non-VA entity or the VA’s Inspector General conducts an independent 
risk analysis of the data breach to determine the level of risk associated with the data breach for 
the potential misuse of any sensitive personal information. 49 Based upon the risk analysis, if the 
Secretary determines that a reasonable risk exists of the potential misuse of sensitive personal 
information, the Secretary must provide credit protection services in accordance with regulations 
issued by the VA Secretary. 50 

The VA Secretary is required to report to the Veterans Committees the findings of the independent 
risk analysis for each data breach, the Secretary’s determination regarding the risk for potential 
misuse of sensitive personal data, and the provision of credit protection services. 51 If the breach 
involved the sensitive data of DOD civilian or enlisted personnel the Secretary must also report to 
the Armed Services Committees. 52 In addition, quarterly reports are to be submitted by the VA 
Secretary to the Veterans Committees of Congress on any data breach of sensitive personal 
information processed or maintained by the VA during that quarter. 53 With respect to the breach of 
SPI that the VA Secretary determines to be significant, notice must be provided promptly 
following the discovery of such data breach to the Veterans Committees, and if the breach 
involved the SPI of DOD civilian or enlisted personnel also to the Armed Services Committees. 54 

P.L. 109-461 also requires the VA to include data security requirements in all contracts with 
private-sector service providers that require access to sensitive personal information. 55 All 
contracts involving access to sensitive personal information must include a prohibition of the 
disclosure of such information unless the disclosure is lawful and expressly authorized under the 
contract; and the condition that the contractor or subcontractor notify the Secretary of any data 
breach of such information. In addition, each contract must provide for liquidated damages to be 
paid by the contractor to the Secretary in the event of a data breach with respect to any sensitive 
personal information, and that money shall be made available exclusively for the purpose of 
providing credit protection services. 

P.L. 109-461 requires the Secretary of the VA within 180 days of enactment (by June 22, 2007) to 
issue interim regulations concerning notification, data mining, fraud alerts, data breach analysis, 
credit monitoring, identity theft insurance, and credit protection services. 56 Interim final 
regulations were issued by the VA Deputy Secretary on June 22, 2007 to address data breach 
security regarding sensitive personal information processed or maintained by the VA. 57 The 



48 “Data breach means the loss or theft of, or other unauthorized access to, other than an unauthorized access incidental 
to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in 
the potential compromise of the confidentiality or integrity of the data.” 38 U.S.C. § 5727(4). 

49 38 U.S.C. § 5724(a)(1). 

50 38 U.S.C. § 5724(a)(2). 

51 38 U.S.C. § 5724(c)(1). 

52 38 U.S.C. § 5724(c)(2). 

53 38 U.S.C. § 5726. 

54 38 U.S.C. § 5724(b). 

55 38 U.S.C. § 5725. 

56 38 U.S.C. § 5724(b). 

57 72 Fed. Reg. 34395 (2007), 38 C.F.R. § 75, Subpart B. The interim final regulations implement the sections of P.L. 
109-461 on data breaches, credit protections services, and reporting requirements. A separate rulemaking will be 
(continued...) 
regulations do not supersede the requirements imposed by other laws such as the Privacy Act, the 
Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, and their 
implementing rules. 

Section 75.114 of the regulations, Accelerated Response, permits the VA Secretary to provide 
prompt notice to record subjects of a data breach and/or offer credit protection services prior to 
the completion of a risk analysis if the VA Secretary determines that there is an immediate, 
substantial risk of identity theft and that providing notice may enable the record subjects to 
protect themselves and that credit protection services will assist in mitigation of possible harm; or 
that private entities would be required to provide notice under federal law if they experienced a 
breach involving the same or similar information. 

Section 75.115 of the regulations, Risk Analysis, requires the VA Secretary to make sure that, as 
soon as possible after the data breach, a non-VA entity with relevant expertise in data breach 
assessment and risk analysis or the VA’s Office of Inspector General conducts an independent risk 
analysis of the data breach. The risk analysis must include a finding with supporting rationale 
concerning whether the circumstances create a reasonable risk that sensitive personal information 
potentially may be misused. The risk analysis must also contain operational recommendations for 
responding to the data breach. 

Section 75.116 of the regulations, Secretary Determination, provides that the Secretary consider 
the risk analysis to determine, based on criteria in the regulation, whether a reasonable risk exists 
for the potential misuse of sensitive personal information involved in a data breach. If the 
Secretary finds that a reasonable risk exists for the potential misuse of sensitive personal 
information, the Secretary should take responsive action as specified based on the potential harms 
to individuals subject to a data breach. 

Section 75.117 of the regulations, Notification, requires the Secretary to promptly provide written 
notification by first-class mail to individuals found to be subject to a reasonable risk for the 
potential misuse of any sensitive personal information. The notification should include a 
description of what happened; a description of the types of information involved; a description of 
what the agency is doing to investigate the breach, to mitigate losses, and to protect against 
further breaches; contact information for the agency; steps individuals can take to protect 
themselves from the risk of identity theft, including fraud alerts; and a statement whether the 
information was encrypted or otherwise protected. Notification may be delayed pursuant to 
lawful requests from other federal agencies to protect data or computer resources, or prevent 
interference with an investigation or data recovery. 

Section 75.118, Other Credit Protection Services, permits the Secretary to offer individuals 
subject to a reasonable risk for potential misuse of SPI one or more of the following credit 
protection services: one year of credit monitoring services consisting of automatic daily 
monitoring of at least 3 relevant credit bureau reports; data breach analysis; 58 fraud resolution 



(...continued) 

commenced to issue regulations to implement sections of P.L. 109-461 requiring a VA information security program 
and establishing information security responsibilities. Id. 

58 “The term “data breach analysis” means the process used to determine if a data breach has resulted in the misuse of 
sensitive personal information.” 38 U.S.C. § 5727(5). 
services (including dispute letters, fraud alerts, and credit freezes); and/or one year of identity 
theft insurance with $20,000 coverage and $0 deductible. 



Private Sector 

Other federal laws, such as the Health Insurance Portability and Accountability Act and the 
Gramm-Leach-Bliley Act, require private sector covered entities to maintain administrative, 
technical, and physical safeguards to ensure the confidentiality, integrity, and availability of 
personal information. 

Health Insurance Portability and Accountability Act 

Part C of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 59 requires 
“the development of a health information system through the establishment of standards and 
requirements for the electronic transmission of certain health information.” 60 These 
“Administrative Simplification” provisions require the Secretary of Health and Human Services 
to adopt national standards to: facilitate the electronic exchange of information for certain 
financial and administrative transactions; establish code sets for data elements; protect the privacy 
of individually identifiable health information; maintain administrative, technical, and physical 
safeguards for the security of health information; provide unique health identifiers; and to adopt 
procedures for the use of electronic signatures. 61 

HIPAA covered entities — health plans, health care clearinghouses, and health care providers who 
transmit financial and administrative transactions electronically — are required to comply with the 
national standards and regulations promulgated pursuant to Part C. 62 Under HIPAA, the Secretary 
is required to impose a civil monetary penalty on any person failing to comply with the 
Administrative Simplification provisions in Part C. 63 The maximum civil money penalty (i.e., the 
fine) for a violation of an administrative simplification provision is $100 per violation and up to 
$25,000 for all violations of an identical requirement or prohibition during a calendar year. 64 
HIPAA also establishes criminal penalties for any person who knowingly and in violation of the 
Administrative Simplification provisions of HIPAA uses a unique health identifier, or obtains or 
discloses individually identifiable health information. 65 Enhanced criminal penalties may be 
imposed if the offense is committed under false pretenses, with intent to sell the information or 
reap other personal gain. The penalties include (1) a fine of not more than $50,000 and/or 
imprisonment of not more than one year; (2) if the offense is under false pretenses, a fine of not 
more than $100,000 and/or imprisonment of not more than five years; and (3) if the offense is 



59 P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq.; see CRS Report RL33989, 
Enforcement of the HIPAA Privacy Rule, by Gina Marie Stevens. 

60 42 U.S.C. §§ 1320d to 1320d-8. 

61 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards for transactions and code 
sets, privacy, security, and employer identifiers. 

62 42 U.S.C. § 1320d-4(b) requires compliance with the regulations within a certain time period by “each person to 
whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2] 
applies.” 

63 42 U.S.C. § 1320d-5(a). 

64 42 U.S.C. § 1320d-5(a)(1). 

65 42 U.S.C. § 1320d-6. 
with intent to sell, transfer, or use individually identifiable health information for commercial 
advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or 
imprisonment of not more than 10 years. 66 These penalties do not affect other penalties imposed 
by other federal programs. 

Privacy Standard 

HIPAA requires health plans, health care clearinghouses, and health care providers who transmit 
financial and administrative transactions electronically to ensure the privacy of medical records 
and to prohibit the disclosure of certain information without patient consent. 67 The HIPAA 
Privacy Rule issued by HHS in 2002 requires a covered entity to maintain reasonable and 
appropriate administrative, technical, and physical safeguards to prevent use or disclosure of 
protected health information in violation of the Privacy Rule. 68 The Office of Civil Rights (OCR) 
in HHS enforces the Privacy Rule. 69 

Security Standards 

Regulations governing security standards under HIPAA require health care covered entities to 
maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, 
and availability of electronic “protected health information”; 70 to protect against any reasonably 
anticipated threats or hazards to the security or integrity of such information, as well as protect 
against any unauthorized uses or disclosures of such information. 71 The Centers for Medicare and 
Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Standard. 72 

The Security Rule applies only to protected health information in electronic form (EPHI), and 
requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the 
covered entity creates, receives, maintains, or transmits. Covered entities must protect against any 
reasonably anticipated threats or hazards to the security or integrity of such information, and any 
reasonably anticipated uses or disclosures of such information that are not permitted or required 
under the Privacy Rule; and ensure compliance by its workforce. 73 

The Security Rule allows covered entities to consider such factors as the cost of a particular 
security measure, the size of the covered entity involved, the complexity of the approach, the 



66 42 U.S.C. § 1320d-6(b). 

67 45 C.F.R. Part 164 Subpart E — Privacy of Individually Identifiable Health Information. 

68 45 C.F.R. § 164.530(c). 

69 65 Fed. Reg. 82381. 

70 “The term “individually identifiable health information” means any information, including demographic information 
collected from an individual, that - (A) is created or received by a health care provider, health plan, employer, or health 
care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, 
the provision of health care to an individual, or the past, present, or future payment for the provision of health care to 
an individual, and - (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that 
the information can be used to identify the individual.” 42 U.S.C. § 1320d(6). 

71 HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164 
(February 20, 2003). 

72 See generally, Centers for Medicare and Medicaid Services, Security Materials at 
http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage. 

73 45 C.F.R. § 164.306(a). 
technical infrastructure and other security capabilities in place, and the nature and scope of 
potential security risks. The Security Rule establishes “standards” that covered entities must meet, 
accompanied by implementation specifications for each standard. The Security Rule identifies 
three categories of standards: administrative, physical, and technical. 

The Security Rule requires covered entities to enter into agreements with business associates who 
create, receive, maintain or transmit EPHI on their behalf. Under such agreements, the business 
associate must: implement administrative, physical and technical safeguards that reasonably and 
appropriately protect the confidentiality, integrity and availability of the covered entity’s 
electronic protected health information; ensure that its agents and subcontractors to whom it 
provides the information do the same; and report to the covered entity any security incident of 
which it becomes aware. The contract must also authorize termination if the covered entity 
determines that the business associate has violated a material term. A covered entity is not liable 
for violations by the business associate unless the covered entity knew that the business associate 
was engaged in a practice or pattern of activity that violated HIPAA, and the covered entity failed 
to take corrective action. 

Gramm-Leach-Bliley Act 

Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to provide 
customers with notice of their privacy policies, and requires financial institutions to safeguard the 
security and confidentiality of customer information, to protect against any anticipated threats or 
hazards to the security or integrity of such records; and to protect against unauthorized access to 
or use of such records or information which could result in substantial harm or inconvenience to 
any customer. 74 Financial institutions are defined as businesses that are engaged in certain 
“financial activities” described in Section 4(k) of the Bank Holding Company Act of 1956 and 
accompanying regulations. 75 Such activities include traditional banking, lending, and insurance 
functions, along with other financial activities. Financial institutions are prohibited from 
disclosing “nonpublic personal information” 76 to non-affiliated third parties without providing 
customers with a notice of privacy practices and an opportunity to opt-out of the disclosure. A 
number of statutory exceptions are provided to this disclosure rule, including that financial 
institutions are permitted to disclose nonpublic personal information to a non-affiliated third party 
to perform services for or functions on behalf of the financial institution. 



74 15 U.S.C. §§ 6801-6809. 

75 12 U.S.C. § 1843(k). 

76 (4) Nonpublic personal information. 

(A) The term “nonpublic personal information” means personally identifiable financial information — 

(i) provided by a consumer to a financial institution; 

(ii) resulting from any transaction with the consumer or any service performed for the consumer; or 

(iii) otherwise obtained by the financial institution. 

(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed 
under section 6804 of this title. 

(C) Notwithstanding subparagraph (B), such term — 

(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to 
them) that is derived using any nonpublic personal information other than publicly available information; but 

(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining 
to them) that is derived without using any nonpublic personal information. 15 U.S.C. § 6809(4). 
Privacy Rule 

Regulations implementing GLBA’s privacy requirements published by the federal banking 
regulators govern the treatment of nonpublic personal information about consumers by financial 
institutions, 77 require a financial institution in specified circumstances to provide notice to 
customers about its privacy policies and practices, describe the conditions under which a financial 
institution may disclose nonpublic personal information about consumers to nonaffiliated third 
parties, and provide a method for consumers to prevent a financial institution from disclosing that 
information to most nonaffiliated third parties by “opting out” of that disclosure, subject to 
exceptions. 78 

FTC Safeguards Rule 

This rule implements GLBA’s requirements for entities under FTC jurisdiction. The Safeguards 
Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing 
financial products or services. These include, for example, check-cashing businesses, payday 
lenders, mortgage brokers, nonbank lenders, real estate appraisers, and professional tax preparers. 
The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators 
that receive information about the customers of other financial institutions. The rule requires 
financial institutions to have an information security plan that “contains administrative, technical, 
and physical safeguards” to “insure the security and confidentiality of customer information; 
protect against any anticipated threats or hazards to the security or integrity of such information; 
and protect against unauthorized access to or use of such information that could result in 
substantial harm or inconvenience to any customer.” 79 Using its authority under the Safeguards 
Rule, the Commission has brought a number of enforcement actions to address the failure to 
provide reasonable and appropriate security to protect consumer information. 80 

Information Security Guidelines 

Section 501(b) of GLBA requires the banking agencies to establish standards for financial 
institutions relating to administrative, technical, and physical safeguards to ensure the security, 
confidentiality, and integrity of customer information, protect against any anticipated threats or 
hazards to the security or integrity of such information, and protect against unauthorized access to 
or use of such information that could result in substantial harm or inconvenience to any customer. 

Interagency Guidance issued by the federal banking regulators applies to customer information 
which is defined as “any record containing nonpublic personal information ... about a customer, 
whether in paper, electronic, or other form, that is maintained by or on behalf of” a financial 



77 16 C.F.R. Part 13 (FTC); 12 C.F.R. Parts 40 (OCC), 216 (FRB), 332 (FDIC), 573 (OTS), and 716 (NCUA). 

78 See generally, 12 C.F.R. 225.28, 225.86. 

79 Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information, 
16 C.F.R. Part 314. 

80 For information on enforcement actions the Commission has brought involving the privacy of consumer information 
under Section 5 of the FTC Act, see http://www.ftc.gov/privacy/privacyinitiatives/safeguards_enf.html. 

81 See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 255, App. F (state member 
banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B 
(savings associations); 12 C.F.R. Part 748, App. A (credit unions). 
institution. 82 The security guidelines direct each financial institution to assess the risks of 
reasonably foreseeable threats that could result in unauthorized disclosure, misuse, alteration, or 
destruction of customer information and customer information systems, the likelihood and 
potential damage of threats, and the sufficiency of policies, procedures, customer information 
systems, and other controls. Following the assessment of risks, the security guidelines require a 
financial institution to manage and control the risk through the design of a program to address the 
identified risks, train staff to implement the program, regularly test the key controls, systems, and 
procedures of the information security program, and develop and maintain appropriate measures 
to dispose of customer information. The security guidelines also direct every financial institution 
to require its service providers by contract to implement appropriate measures designed to protect 
against unauthorized access to or use of customer information that could result in substantial 
harm or inconvenience to any customer. Each financial institution is required to monitor, 
evaluate, and adjust its information security program as necessary. Finally, each financial 
institution is required to report to its board at least annually on its information security program, 
compliance with the security guidelines, and issues such as risk assessment, risk management and 
control decisions, service provider arrangements, results of testing, security breaches or violations 
and management’s responses, and recommendations for changes in the information security 
program. 

Response Programs for Unauthorized Access to Customer Information and 
Customer Notice 

The security guidelines recommend implementation of a risk-based response program, including 
customer notification procedures, to address unauthorized access to or use of customer 
information maintained by a financial institution or its service provider that could result in 
substantial harm or inconvenience to any customer, and require disclosure of a data security 
breach if the covered entity concludes that “misuse of its information about a customer has 
occurred or is reasonably possible.” 83 Pursuant to the guidance, substantial harm or inconvenience 
is most likely to result from improper access to “sensitive customer information.” 84 

At a minimum, an institution’s response program should contain procedures for: assessing the 
nature and scope of an incident and identifying what customer information systems and types of 
customer information have been accessed or misused; notifying its primary federal regulator 
when the institution becomes aware of an incident involving unauthorized access to or use of 
sensitive customer information; consistent with the Agency’s Suspicious Activity Report (“SAR”) 
regulations, notifying appropriate law enforcement authorities; taking appropriate steps to contain 
and control the incident to prevent further unauthorized access to or use of customer information 



82 See Board of Governors Federal Reserve System, The Commercial Bank Examination Manual, Supp. 27, 984-1034 
(May 2007), at http://www.federalreserve.gov/boarddocs/SupManual/cbem/200705/0705cbem.pdf. 

83 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer 
Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 (OCC), Supplement A to Appendix D-2, at 12 
C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift 
Supervision), 70 Fed. Reg. 15736 - 15754 (March 29, 2005). 

84 “Sensitive customer information means a customer's name, address, or telephone number, in conjunction with the 
customer’s social security number, driver's license number, account number, credit or debit card number, or a personal 
identification number or password that would permit access to the customer’s account. Sensitive customer information 
also includes any combination of components of customer information that would allow someone to log onto or access 
the customer's account, such as user name and password or password and account number.” 70 Fed. Reg. 15736-15754 
(March 29, 2005). 
(e.g., by monitoring, freezing, or closing affected accounts and preserving records and other 
evidence); and notifying customers when warranted. 

The security guidelines note that financial institutions have an affirmative duty to protect their 
customers’ information against unauthorized access or use, and that customer notification of a 
security breach involving the customer’s information is a key part of that duty. The guidelines 
prohibit institutions from forgoing or delaying customer notification because of embarrassment or 
inconvenience. 

The guidelines provide that when a financial institution becomes aware of an incident of 
unauthorized access to sensitive customer information, the institution should conduct a reasonable 
investigation to promptly determine the likelihood that the information has been or will be 
misused. If the institution determines that misuse has occurred or is reasonably possible, it should 
notify the affected customer as soon as possible. Customer notice may be delayed if an 
appropriate law enforcement agency determines that notification will interfere with a criminal 
investigation and provides the institution with a written request for the delay. The institution 
should notify its customers as soon as notification will no longer interfere with the investigation. 

If a financial institution can determine which customers’ information has been improperly 
accessed, it may limit notification to those customers whose information it determines has been 
misused or is reasonably likely to be misused. In situations where the institution determines that a 
group of files has been accessed improperly, but is unable to identify which specific customers’ 
information has been accessed, and the institution determines that misuse of the information is 
reasonably possible, it should notify all customers in the group. The guidelines also address what 
information should be included in the notice sent to the financial institution’s customers. 

Federal Trade Commission Act 

The Federal Trade Commission (FTC), an independent agency of the U.S. government, was 
established by the Federal Trade Commission Act of 1914 (FTCA). 85 Its principal mission is the 
promotion of consumer protection and the elimination and prevention of anticompetitive business 
practices. The Commission’s jurisdiction extends to a variety of entities and individuals operating 
in commerce. The FTC has taken a multi-faceted approach to protecting the privacy and security 
of consumers’ personal information. Its enforcement tools include laws and regulations such as 
the Safeguards Rule issued under the Gramm-Leach-Bliley Act, which requires financial 
institutions to take reasonable measures to protect customer data, and the Disposal Rule under the 
FACT Act which requires companies to dispose of credit report data in accord with a set of 
practices designed to prevent others from using that data without authorization. 86 

Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting 
commerce.” 87 Unfair practices are practices that cause or are likely to cause consumers 
substantial injury that is neither reasonably avoidable by consumers nor offset by any countervailing 
benefit to consumers or competition. 88 A representation, omission, or practice is deceptive if (1) it 



85 15 U.S.C. §§41-58. 

86 See CRS Report RL32535, Implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, by 
Angie A. Welborn and Grace Chu. 

87 15 U.S.C. § 45(a). 

88 15 U.S.C. § 45(n). 

Congressional Research Service 16 

http://wikileaks.org/wiki/CRS-RL34120 

Federal Information Security and Data Breach Notification Laws 

is likely to mislead consumers acting reasonably under the circumstances; and (2) it is material — 
likely to affect consumers’ conduct or decisions with respect to the product at issue. 89 

The Commission has used Section 5 to challenge deceptive claims companies have made about 
the privacy and security of their customers’ personal information. In deceptive security claims 
cases the FTC alleged that the companies had made promises to take reasonable steps to protect 
sensitive consumer information, and that they did not implement reasonable and appropriate 
measures to protect the sensitive personal information obtained from customers against 
unauthorized access. 90 In unfair practices cases, the FTC has alleged that a company’s failure to 
employ reasonable and appropriate security measures to protect consumers’ personal information 
caused or was likely to cause substantial injury to consumers that was not offset by countervailing 
benefits to consumers or competition and was not reasonably avoidable by consumers. 

In cases where the FTC did not have authority to assess civil money penalties, the FTC entered 
into consent orders requiring the defendants to implement information security programs (e.g., 
B.J.’s Wholesale Club, DSW, Inc., and Card Systems). In a recent case where violations of the 
Federal Trade Commission Act and the Fair Credit Reporting Act were alleged, the largest civil 
money penalty ever by the FTC ($10 million) was assessed. 

Fair Credit Reporting Act, as amended by the Fair and Accurate Transactions 
Act of 2003 

The Fair Credit Reporting Act of 1970 (FCRA) regulates credit bureaus, entities or individuals 
who use credit reports, and businesses that furnish information to credit bureaus. 91 “[A] major 
purpose of the Act is the privacy of a consumer’s credit-related data.” 92 Consumer reporting 
agencies, also known as credit bureaus, have particular responsibilities with respect to ensuring 
that a consumer’s information is used only for purposes that are permissible under the act, 93 for 
ensuring that “reasonable procedures” are employed (including making reasonable efforts to 
verify the identity of each new prospective user of consumer report information and the uses 
certified by each prospective user prior to furnishing such user a consumer report) to ensure that 
consumer reports are supplied only to those with a permissible purpose, 94 and for correcting 
information in a consumer’s report that may be incorrect or the result of fraud. 95 Permissible 
purposes include decisions involving credit, insurance, or employment. 96 A consumer reporting 
agency is also permitted to provide reports to persons having “a legitimate business need” for the 
information in connection with a consumer-oriented transaction. The Act and its requirements 
only apply to entities that fall within the definition of a “consumer reporting agency,” 97 and only 
to products that fall within the definition of a “consumer report.” 98 

89 Cliffdale Associates Inc., 103 F.T.C. 110 (1984). 

90 For information on enforcement actions involving the privacy of consumer information under Section 5 of the FTC 
Act, see http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html. 

91 15 U.S.C. §§ 1681-1681x, as amended. 

92 Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir. 1996). 

93 15 U.S.C. § 1681e(a). 

94 15 U.S.C. § 1681e. 

95 For a detailed discussion of the Fair Credit Reporting Act, see CRS Report RL31666, Fair Credit Reporting Act: 
Rights and Responsibilities, by Margaret Mikyung Lee. 

96 15 U.S.C. § 1681b. 

The Fair and Accurate Transactions Act (“FACT Act”) amended FCRA, adding requirements 
designed to prevent identity theft and assist identity theft victims. The FACT Act also included a 
provision requiring financial regulatory 99 agencies and the FTC to promulgate a coordinated rule 
designed to prevent unauthorized access to consumer report information by requiring reasonable 
procedures for the proper disposal of such information. 

The Federal Trade Commission enforces the FCRA. A violation under the FCRA is deemed to be 
an unfair or deceptive act or practice in violation of section 5(a) of the FTC Act. There are various 
penalties for violating the FCRA; the applicability of a particular provision depends on such 
factors as who brings the action and the degree of the violator’s noncompliance. For example, the 
Act imposes liability for both willful noncompliance and negligent noncompliance. 100 The 
monetary penalties include actual damages sustained by a consumer, plus costs and attorneys’ 
fees. In the case of willful violations, the court may also award punitive damages to a consumer. 
Any person who procures a consumer report under false pretenses, or knowingly without a 
permissible purpose, is liable for $1000 or actual damages (whichever is greater) to both the 
consumer and to the consumer reporting agency. 101 Also, the Act governs enforcement actions 
brought by the Commission, other agencies, and the states, and provides for various monetary and 
injunctive penalties. 102 For those who knowingly violate the FCRA, the monetary penalties 
include up to $2500 per violation in a civil action brought by the Commission. 103 



The Payment Card Industry Data Security Standard 

The payment card industry has also issued security standards and reporting requirements for 
organizations that handle bank cards. 104 The Payment Card Industry Data Security Standard (PCI 
DSS) is an industry regulation developed by VISA, MasterCard, and other bank card distributors. 
It requires organizations that handle bank cards to conform to security standards and follow 
certain leveled requirements for testing and reporting. The core of the PCI DSS is a group of 
principles and accompanying requirements designed to build and maintain a secure network, 
protect cardholder data, maintain a vulnerability management program, implement strong access 
control measures, monitor and test networks, and maintain an information security policy. PCI 
DSS went into effect December 31, 2006. Legislation has been passed in the Texas House 
mandating compliance with the PCI DSS standard. 105 

97 The FCRA defines “consumer reporting agency” as “any person which, for monetary fees, dues, or on a cooperative 
nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit 
information or other information on consumers for the purpose of furnishing consumer reports to third parties, and 
which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” 
15 U.S.C. § 1681a(f). 

98 A “consumer report” is “any written, oral, or other communication of any information by a consumer reporting 
agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the 
purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for 
personal, family, or household purposes; employment purposes; or any other purpose authorized under section 604 [of 
the FCRA].” 15 U.S.C. § 1681a(d). 

99 P.L. 108-159, 117 Stat. 1952. 

100 15 U.S.C. § 1681n(a). 

101 15 U.S.C. § 1681n(b). 

102 15 U.S.C. § 1681s. 

103 15 U.S.C. § 1681s(2)(A). 

104 Available at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf. 

105 See 2007 Tex. H.B. No. 3222, which mandates PCI DSS compliance and provides a safe harbor under the statute if 
the business that suffered the data breach was in compliance with PCI DSS 90 days before the date of the security 
breach. 